FortiGate IPv4 vs. IPv6 Performance Speedtests

I was interested in the performance of my FortiGate firewall when comparing IPv4 and IPv6 traffic. Therefore I built a small lab consisting of a FortiWiFi 90D firewall and two Linux clients running Iperf. I tested the network throughput for both Internet Protocols in both directions in three scenarios: 1) both clients plugged into the same “hardware switch” on the FortiGate, 2) different subnets with an “allow any any” policy without any further security profiles, and finally, 3) the same policy with antivirus, application control, IPS, and SSL inspection activated.

Laboratory

Both clients (notebooks) were booted with the live Linux distribution Knoppix in version 7.6.1. The FortiWiFi 90D ran software version v.5.2.5, build701. The security policies for tests 2 and 3 looked like this:

IPv4 Policy withOUT Security Profiles

IPv4 Policy with Security Profiles

IPv6 Policy withOUT Security Profiles

IPv6 Policy with Security Profiles

I started Iperf on one of the notebooks in server mode (with either IPv4 or IPv6),

    iperf -s
    iperf -s -V

and ran the other notebook as the client: (Yes, I really used the 2001:db8::/32 for testing purposes this time.)

Here is a screenshot of the FortiGate Traffic Forward log that shows some IPv4 and IPv6 runs:

Results

These are the results:

When plugged into the same hardware switch on the FortiGate unit (no routing, only layer 2), the speed for both protocols was almost the same and very good (around 930 MBit/s).

When routed through the FortiGate, IPv4 had almost the same speed while IPv6 dramatically dropped its rate to about 150-180 MBit/s (yellow and green bars).

With activated antivirus scanning, etc., the Rx path was at about 40 MBit/s, which fits perfectly with the official data sheets that list 41 Mbit/s for mixed IPS throughput. However, the Tx path was the same for IPv6 with only about 150 MBit/s.
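To repeat this comparison on another firewall, the Iperf summary lines can be parsed and the IPv6 rate checked against the IPv4 rate per scenario. The following is an added example, not part of the original post; the `RUNS` sample output is constructed (loosely following the figures above), and the scenario names and the 0.8 threshold are assumptions.

```python
import re
from collections import defaultdict

# Summary line as printed by iperf 2, e.g.
# "[  3]  0.0-10.0 sec  1.09 GBytes   935 Mbits/sec"
SUMMARY = re.compile(r"\]\s+[\d.]+-\s*[\d.]+\s+sec\s+[\d.]+\s+[KMG]?Bytes"
                     r"\s+([\d.]+)\s+([KMG]?)bits/sec")
SCALE = {"": 1e-6, "K": 1e-3, "M": 1.0, "G": 1e3}  # factor to Mbit/s

def mbits(line):
    """Return the throughput of one iperf summary line in Mbit/s, or None."""
    m = SUMMARY.search(line)
    return float(m.group(1)) * SCALE[m.group(2)] if m else None

def summarize(runs):
    """runs: iterable of (scenario, protocol, iperf output text).
    Returns {scenario: {protocol: mean Mbit/s over all runs}}."""
    samples = defaultdict(lambda: defaultdict(list))
    for scenario, proto, text in runs:
        rates = [r for r in map(mbits, text.splitlines()) if r is not None]
        if rates:  # the last matching line is the whole-run summary
            samples[scenario][proto].append(rates[-1])
    return {s: {p: sum(v) / len(v) for p, v in protos.items()}
            for s, protos in samples.items()}

def v6_gaps(summary, min_ratio=0.8):
    """Scenarios where IPv6 reaches less than min_ratio of the IPv4 rate."""
    return {s: round(r["IPv6"] / r["IPv4"], 2) for s, r in summary.items()
            if "IPv4" in r and "IPv6" in r and r["IPv6"] < min_ratio * r["IPv4"]}

HEADER = "------------------------------------------------------------\n"
# Constructed sample output, not measurements from the post.
RUNS = [
    ("same switch", "IPv4", HEADER + "[  3]  0.0-10.0 sec  1.09 GBytes   935 Mbits/sec"),
    ("same switch", "IPv6", HEADER + "[  3]  0.0-10.0 sec  1.08 GBytes   928 Mbits/sec"),
    ("routed", "IPv4", HEADER + "[  3]  0.0-10.0 sec  1.08 GBytes   931 Mbits/sec"),
    ("routed", "IPv6", HEADER + "[  3]  0.0-10.0 sec   179 MBytes   150 Mbits/sec"),
    ("routed", "IPv6", HEADER + "[  3]  0.0-10.0 sec   215 MBytes   180 Mbits/sec"),
]

if __name__ == "__main__":
    result = summarize(RUNS)
    for scenario, rates in result.items():
        print(scenario, {p: f"{r:.0f} Mbit/s" for p, r in rates.items()})
    print("IPv6/IPv4 ratio below threshold:", v6_gaps(result))
```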

Conclusion

Of course, these results are only true for this single FWF-90D firewall. It only has an NP4-lite processor which is not capable of IPv6. Bigger firewalls with the newer NP6 claim that they have the same speed for IPv4 as for IPv6. Hopefully they will. The measured IPv6 throughput with this firewall is obviously not that good!